本文介绍了如何安全是Windows Azure的内部端点?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个Web角色前端MVC应用程序,通过WIF和ACS,我想是我的Azure应用程序的唯一暴露的表面保护。它连接到一个数的后端服务,一些工人的作用和一些(在VS添加服务引用的方便,或者是因为它们使用WCF数据服务)的网络的作用。后端服务的角色只有内部端点。

I have a front end MVC application in a web role, protected by WIF and ACS, which I would like to be my Azure application's only exposed surface. It connects to a number of back end services, some worker roles and some (for the convenience of adding service references in VS, or because they use WCF Data Services) web roles. The back end service roles have only internal endpoints.

我从MS文献的理解是,内部端点只提供给具有相同部署的其他角色。鉴于此,它似乎是多余的应用任何一种运输或消息安全,或认证时,MVC Web角色和后端服务,这是presumably之间的HTTPS为什么不提供内部端点。

My understanding from the MS literature is that internal endpoints are available only to other roles with the same deployment. Given this, it seems redundant to apply any kind of transport or message security, or authentication, between the MVC web role and the back end services, which is presumably why https is not available on internal endpoints.

我的问题是:如何安全是什么?有什么办法端点能够从比我们部署的角色之一的任何其他被发现的?没有任何理由承担在任何角色间的绑定额外的安全性的开销?

My question is: how secure is this? Is there any way an endpoint could be discovered from anything other than one of our deployed roles? Is there any reason to incur the overhead of additional security on any of the inter-role bindings?

推荐答案

一个服务再presents隔离边界,除非你声明的端点为输入端点,它不能被这种隔离边界之外访问。这个边界的实现是一个私人的网络分支,没有寻址能力等分支机构。

A service represents an isolation boundary, unless you declare an endpoint as an "input" endpoint, it cannot be accessed outside of this isolation boundary. The implemetation of this boundary is a private network branch with no addressability to other branches.

记住内部端点负载不均衡。因此,有一个权衡。我的一段时间回来,这可能有助于巩固事情有点。

Keep in mind that internal endpoints are not load balanced. So there is a trade off. I wrote some stuff up on endpoints awhile back that might help consolidate things a bit.

这篇关于如何安全是Windows Azure的内部端点?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

10-22 07:20